Emerging cloud architectures, 5G, and Industry 4.0 are opening the door to a new generation of network-level attacks and security threats that target IP networks and the data that flows through them. Current solutions lack the scale and functionality to address the growing threat volume and complexity.
At Nokia, we embed security into every layer of our IP network infrastructure. We deliver the at-scale, fully-featured protection you need to guarantee the performance and integrity of your mission critical networks.
Why IP networks are vulnerable
IP networks are changing faster than ever. With these changes come new network-level security threats and a broader attack surface:
- Increasing numbers of IoT and Industry 4.0 devices are being connected to the IP network and may be vulnerable to hijacking. Once hijacked, these devices have access to wide bandwidth to launch attacks.
- Communications Service Providers (CSPs) are embracing third party transport options, open network architectures and globalization. This makes their networks increasingly porous, and the data they transport increasingly vulnerable to confidentiality and integrity breaches.
- 5G is accelerating cloudification, which enables network functions and services to run anywhere. As network functions become more distributed, the attack surface increases.
As the attack surface grows, so does the frequency, scale and potency of the attacks themselves:
- Millions of hijacked IoT devices are used to create DDoS botnets that flood networks with terabits of data and hundreds of millions of packets per second. A new generation of attacks is using short, intense bursts of traffic to disrupt networks, making them harder to pinpoint and stop. And whether volumetric DDoS attacks target the CSP's IP network or simply use it to reach another target, they always impair the CSP's ability to maintain consistently high service quality.
- As quantum computers grow more powerful, they will inevitably crack today's public key encryption algorithms (Q-Day) and expose the sensitive data they protect with relative ease. Store now and decrypt later (SNDL) activity is accelerating this threat by placing today's data at risk.
Economic and political falllout is escalating
The economic and political fallout from man-in-the-middle attacks and data breaches is also escalating. Enterprises embracing digitalization are concerned about loss of revenue and reputation. Government is concerned at the growing disruption of critical infrastructure and services. CSPs are looking to secure new revenue from the digitalization of critical industries must be able to demonstrate that data flowing through their networks is impervious to theft or manipulation.
Addressing all these network-level threats is difficult for security solutions that run on top of IP networks. They lack the cost-effective scale and functionality to fully protect IP networks from the growing threat landscape.
We secure IP networks from within
To provide at-scale protection of IP networks, IP network security must be like packet forwarding – a high-performance, highly scalable capability of the IP network itself.
Nokia has pioneered this approach by embedding security into the DNA of every layer of our IP network infrastructure, providing high-performance, fully featured and at-scale protection for your mission-critical IP networks.
Adopt a self-defending IP network infrastructure
Our multi-layer embedded approach to IP network security begins at the IP silicon layer with the FP5 chipset at the heart of our 7750 SR and 7950 XRS series of routers. FP5 provides the filtering scale and performance headroom necessary to be a highly precise attack sensor and mitigation element. It provides the universal encryption (ANYsec) required to secure any service, over any transport, at any time. Both capabilities can be used at line rate – without impacting the performance of other services running on the same chipset. This ensures network performance and service quality remain high even during the most intense DDoS attacks.
At the network OS layer, our highly secure and hardened SR OS is designed and tested to block attempts at manipulation and unauthorized access. SR OS leverages highly granular queueing in FP5 to limit every control plane interaction to its fair-share slice of the control plane CPU. This stops volumetric attacks from overwhelming the control plane processor, without impacting legitimate control plane interactions.
At the tools and applications layer, our integrated, high-performance IPsec gateway (Nokia Secure Gateway) inherits the scale, resiliency, and security of the carrier-grade 7750 SR infrastructure. A single Nokia Secure Gateway can support up to 32,000 base stations and up to 960GB/s of encrypted traffic.
Our Nokia SR OS Firewall protects the integrity of the control and management planes between trusted zones.
At the application level, our Deepfield Defender provides multi-dimensional intelligence, analytics, and automation that use the network infrastructure to quickly identify and mitigate DDoS attacks.
Diagram representing Nokia's multi-layer approach to built-in network security
Quantum-safe network encryption for CSPs
CSPs can now leverage Nokia's quantum-safe MACsec/ANYsec encryption to ensure the confidentiality and integrity of all data flowing through their networks and protect against current and future threats associated with quantum computers. Integration with the 1830 Security Management Server (SMS) enables centralized pre-shared encryption key management across Nokia IP and optical network portfolios, and the ability to leverage quantum-based keys with Quantum Key Distribution (QKD).
Specifically designed for CSP networks, MACsec/ANYsec leverages FP5 silicon to extend the low latency and simplicity of MACsec encryption to tunnels, flows and slices engineered using MPLS, Segment Routing and IP. With FP5, network encryption becomes a universal function of the network itself.
Nokia's MACsec/ANYsec implementation provides CSPs with the freedom to transform IP services into secure IP services on demand. Instead of treating encryption as an expensive, complex and limited capability that requires significant advanced planning, SPs can turn on encryption whenever and wherever it is required. This can be done natively no matter what service or network transport is being used, and without impacting the performance of any other service running on the same chipset.
Identify and mitigate attacks automatically
Using manual solutions and forensic analysis, you can’t respond quickly enough to stop attacks from causing disruption, and accuracy is sometimes compromised.
Nokia Deepfield Defender and 7750 SR and 7950 XRS series routers allow you to identify and respond to attacks automatically. Security policies are continuously monitored and tuned using telemetry from the network. With the automated workflows in Deepfield Defender, you can update tens of thousands of IP silicon filters in seconds to respond to changing security conditions without delay.
Accuracy is high. High-scale, highly granular filters can inspect IP headers or use signature matching to identify and mitigate against sophisticated attacks, without impacting router performance. Deepfield Defender adds multi-dimensional security analytics, giving you unprecedented insight into DDoS attacks of all types. This information is combined with Deepfield Secure Genome, which provides unique visibility into internet traffic, to further minimize false positives and negatives.
With Nokia, you can block attacks with greater precision before they impact service quality.
Protect everything, everywhere, all the time
Due to the prohibitive cost and limited scale of traditional DDoS solutions, CSPs have only been able to protect a few select customers or a portion of their network from DDoS attacks.
With IP security embedded within the network, you can protect your whole network and all your customers, all the time. Deepfield Defender and 7750 SR and 7950 XRS series routers shield you from all types of attacks (such as multivector, spoofing, botnet, or carpet bombing), from any origin (inbound or outbound), towards any target (not just protected targets), on any boundary (core, peering, data center, or service edge).
By stopping all customer directed attacks at the edge of your network, service quality and network performance always remain high.
It’s about protecting your brand and business: customers want a network that won’t let them down and providing one will help to reduce churn.
Related solutions and products
Learn more about IP networks and security
7750 Defender Mitigation System
C-RAN fronthaul case study
DDoS Protection for the era of the cloud, 5G and IoT
NANOG85: The botnet DDoS problem in North American ISPs
How to overcome challenges with botnet DDoS detection
How to make your IP network DDoS-safe, across all users
7 Dec 2023
Nokia selected to modernize Worldstream’s IP edge network for cloud services expansion
28 Nov 2023
Nokia upgrades Bouygues Telecom’s IP network for increased capacity and energy efficiency
9 Nov 2023
Nokia to deploy 800GE links in world’s fastest live showcase supercomputing network at SC 2023 in Denver
2 Nov 2023
Nokia selected by LigaT to power its national IP core and transport network
4 Oct 2023
Nokia selected by Brazil’s K2 Telecom as key partner to strengthen its security and create new revenue streams
12 Sep 2023
Nokia redefines IP access, aggregation and edge networks with next generation routers
17 Aug 2023
CSPs need to address barriers to deploying AI in order to realize autonomous operations - research
15 Aug 2023
Nokia, Nomios Group to triple capacity for GÉANT European research network with new ultra-high-capacity IP backbone network
Please complete the form below.
The form is loading, please wait...
At-scale protection for mission-critical IP networks
Let’s discuss how our unique approach to IP network security delivers the protection you need to guarantee the performance and integrity of your mission-critical IP networks.